Merge branch 'main' into feature/access-token-detector

2025-06-02 00:22:04 +09:00 · 2025-06-02 00:22:04 +09:00 · b1c10b0739
commit b1c10b0739
parent 96452cf9fa db242c4465
12 changed files with 81 additions and 226 deletions
--- a/.gitignore
+++ b/.gitignore
@ -220,5 +220,6 @@ dist/*
 packages/frontend/dist
 packages/backend/dist
 #!dist/*.zip
 dist/plugin_package.zip
 # End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux
--- a/dist/plugin_package.zip
+++ b/dist/plugin_package.zip
--- a/packages/backend/src/controller/csrfCheck.ts
+++ b/packages/backend/src/controller/csrfCheck.ts
@ -5,18 +5,27 @@ import { HttpUtils } from "../utils/http";
 const httpUtils = new HttpUtils();
 export class CsrfCheck {
  private isTargetUri(uri: string): boolean {
    if (
      uri.includes("client_id=") &&
      (uri.includes("response_type=") ||
        uri.includes("grant_type=") ||
        uri.includes("redirect_uri=") ||
        uri.includes("scope=") ||
        uri.includes("state=") ||
        uri.includes("nonce="))
    ) {
      return true;
    }
    return false;
  }
  private isOauthUri(request: Request): boolean {
-    const query = request.getQuery() || "";
+    const uri = request.getUrl() || "";
    // Check if the request is an OAuth authorization request
-    if (
+    if (this.isTargetUri(uri)) {
      query.includes("client_id=") &&
      (query.includes("response_type=") ||
        query.includes("grant_type=") ||
        query.includes("redirect_uri=") ||
        query.includes("scope=") ||
        query.includes("state="))
    ) {
      return true;
    }
@ -25,23 +34,10 @@ export class CsrfCheck {
  private isOauthRedirectResponse(response: Response): boolean {
    const status = response.getCode();
-    const locationHeader = httpUtils.getHeaderValue(
+    const uri =
-      response.getHeaders(),
+      httpUtils.getHeaderValue(response.getHeaders(), "location") || "";
      "location"
    );
-    if (
+    if (status >= 300 && status < 400 && this.isTargetUri(uri)) {
      status >= 300 &&
      status < 400 &&
      locationHeader &&
      (locationHeader.includes("client_id=") ||
        locationHeader.includes("response_type=") ||
        locationHeader.includes("grant_type=") ||
        locationHeader.includes("redirect_uri=") ||
        locationHeader.includes("scope=") ||
        locationHeader.includes("state=") ||
        locationHeader.includes("code=")) // code is also common in OAuth redirects
    ) {
      return true;
    }
    return false;
@ -49,7 +45,9 @@ export class CsrfCheck {
  private isStateInQuery(request: Request): boolean {
    const query = request.getQuery();
-    const stateValue = httpUtils.getQueryParam(query || "", "state");
+    const stateValue =
      httpUtils.getQueryParam(query || "", "state") ||
      httpUtils.getQueryParam(query || "", "nonce");
    if (!stateValue) {
      return false;
    }
@ -72,17 +70,18 @@ export class CsrfCheck {
    // 요청에서 보낸 state 추출
    const query = request.getQuery() || "";
-    const originalState = httpUtils.getQueryParam(query, "state");
+    const originalState =
      httpUtils.getQueryParam(query, "state") ||
      httpUtils.getQueryParam(query || "", "nonce");
    // 리다이렉트 URL에서 쿼리 부분만 추출
    const locationHeader = httpUtils.getHeaderValue(
      response.getHeaders(),
      "location"
    );
-    const responseState = httpUtils.getQueryParamFromURI(
+    const responseState =
-      locationHeader || "",
+      httpUtils.getQueryParamFromURI(locationHeader || "", "state") ||
-      "state"
+      httpUtils.getQueryParamFromURI(locationHeader || "", "nonce");
    );
    // state가 없거나, 요청값과 다르면 CSRF 위험
    if (!responseState) {
--- a/packages/backend/src/controller/nonceCheck.ts
+++ b/packages/backend/src/controller/nonceCheck.ts
@ -1,4 +1,4 @@
-import type { Request } from "caido:utils";
+import type { Request, Response } from "caido:utils";
 import { TokenLeakCheck } from "./tokenLeakCheck";
 export class NonceCheckController{
@ -6,8 +6,8 @@ export class NonceCheckController{
     * 응답이 OIDC(OpenID Connect) 플로우인지 확인하는 메서드
     */
-    public static isOidcFlow(req: Request): boolean {
+    public static isOidcFlow(req: Request, res:Response): boolean {
-        if(TokenLeakCheck.extractIdToken(req)) {
+        if(TokenLeakCheck.extractIdToken(req, res)) {
            return true;
        }
        return false;
@ -15,10 +15,10 @@ export class NonceCheckController{
    public static isNonceCheckRequest(req: Request): boolean {
-        const id_token = decodeIdToken(req);
+        const id_token = TokenLeakCheck.decodeIdToken(req);
        // 1. nonce 파라미터가 포함된 요청인지 확인
-        if (id_token.includes("nonce=")) {
+        if (id_token && id_token.includes("nonce=")) {
            return true;
        }
@ -26,8 +26,4 @@ export class NonceCheckController{
    }
 }
 function decodeIdToken(req: Request): string {
    // Implement actual decoding logic here. For now, return an empty string or mock value.
    return "";
 }
--- a/packages/backend/src/controller/tokenLeakCheck.ts
+++ b/packages/backend/src/controller/tokenLeakCheck.ts
@ -1,8 +1,8 @@
-import type { Request } from "caido:utils";
+import type { Request,Response } from "caido:utils";
 import jwt from "jsonwebtoken";
 export class TokenLeakCheck {
-  public static extractIdToken(req: Request): string | null {
+  public static extractIdToken(req: Request, res?: Response): string | null {
    // 1. Authorization 헤더 확인\\
    const header = req.getHeaders() as Record<string, string | string[] | undefined>;
    const authHeader = header["authorization"] || header["Authorization"];
@ -16,19 +16,21 @@ export class TokenLeakCheck {
      return (query as Record<string, any>).id_token;
    }
-    // 3. POST 바디 안에 id_token이 있을 경우
+    // 3. response 안에 id_token이 있을 경우
-    const rawBody = req.getRaw();
+    if (res) {
-    const body = rawBody ? rawBody.toString() : "";
+      const rawBody = res.getRaw();
-    const match = body.match(/id_token=([^&\s]+)/);
+      const body = rawBody ? rawBody.toString() : "";
-    if (match && typeof match[1] === "string") {
+      const match = body.match(/id_token=([^&\s]+)/);
-      return decodeURIComponent(match[1]);
+      if (match && typeof match[1] === "string" ) {
        return decodeURIComponent(match[1]);
      }
    }
    return null;
  }
-  public static decodeIdToken(req: Request): Record<string, any> | null {
+  public static decodeIdToken(req: Request, res?: Response): Record<string, any> | null {
-    const token = this.extractIdToken(req);
+    const token = this.extractIdToken(req, res);
    if (!token) return null;
    const decoded = jwt.decode(token, { complete: true });
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@ -6,6 +6,7 @@ import { CsrfCheck } from "./controller/csrfCheck";
 import { PKCECheck } from "./controller/PKCECheck";
 import { AccessTokenLeakController } from "./controller/accessTokenDetector";
 import { ScopeDetection } from "./controller/scopeDetection";
 import { NonceCheckController } from "./controller/nonceCheck";
 export type API = DefineAPI<{}>;
@ -15,42 +16,42 @@ const csrfCheck = new CsrfCheck();
 const pkceCheckController = new PKCECheck();
 const tokenCheck = new AccessTokenLeakController();
 const ScopeDetectionController = new ScopeDetection();
 const nonceCheckController = new NonceCheckController();
 export function init(sdk: SDK<API>) {
-  // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
+  sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
-  //   const result = csrfCheck.checker(req);
+    await csrfCheck.checker(sdk, req, res);
    await pkceCheckController.test(sdk, req);
    await tokenCheck.testReq(sdk, req);
    await tokenCheck.testResp(sdk, res, req);
    await ScopeDetectionController.scan(sdk, req.getUrl());
-  //   if (result) {
+    if (NonceCheckController.isOidcFlow(req, res)) {
-  //     await sdk.findings.create({
+      await sdk.findings.create({
-  //       title: "Possible SSO Request Detected",
+        title: "OIDC Flow Detected",
-  //       description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
+        description: "The request appears to be part of an OIDC flow.",
-  //       request: req,
+        request: req,
-  //       reporter: "",
+        reporter: "",
-  //     });
+      });
  //   }
  // });
  sdk.events.onInterceptResponse(
    async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
      await csrfCheck.checker(sdk, req, resp);
      await pkceCheckController.test(sdk, req);
      await tokenCheck.testReq(sdk, req);
      await tokenCheck.testResp(sdk, resp, req);
      await ScopeDetectionController.scan(sdk, req.getUrl());
      // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
      //   const result =
      //     authZCodeGrantController.testReq(req) ||
      //     implicitGrantController.testReq(req);
      //   if (result) {
      //     await pkceCheckController.test(sdk, req);
      //     await sdk.findings.create({
      //       title: "Possible SSO Request Detected",
      //       description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
      //       request: req,
      //       reporter: "",
      //     });
    }
-  );
+  });
  /*
  sdk.events.onInterceptRequest(async (sdk, req: Request) => {
    const result =
      authZCodeGrantController.testReq(req) ||
      implicitGrantController.testReq(req);
    if (result) {
      await pkceCheckController.test(sdk, req);
      await sdk.findings.create({
        title: "Possible SSO Request Detected",
        description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
        request: req,
        reporter: "",
      });
    }
  });
  */
 }
--- a/playground/pkce/.gitignore
+++ b/playground/pkce/.gitignore
@ -1,34 +0,0 @@
 # dependencies (bun install)
 node_modules
 # output
 out
 dist
 *.tgz
 # code coverage
 coverage
 *.lcov
 # logs
 logs
 _.log
 report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
 # dotenv environment variable files
 .env
 .env.development.local
 .env.test.local
 .env.production.local
 .env.local
 # caches
 .eslintcache
 .cache
 *.tsbuildinfo
 # IntelliJ based IDEs
 .idea
 # Finder (MacOS) folder config
 .DS_Store
--- a/playground/pkce/README.md
+++ b/playground/pkce/README.md
@ -1,15 +0,0 @@
 # playground
 To install dependencies:
 ```bash
 bun install
 ```
 To run:
 ```bash
 bun run 
 ```
 This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime.
--- a/playground/pkce/bun.lock
+++ b/playground/pkce/bun.lock
@ -1,25 +0,0 @@
 {
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "playground",
      "devDependencies": {
        "@types/bun": "latest",
      },
      "peerDependencies": {
        "typescript": "^5",
      },
    },
  },
  "packages": {
    "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="],
    "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="],
    "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="],
    "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
  }
 }
--- a/playground/pkce/package.json
+++ b/playground/pkce/package.json
@ -1,10 +0,0 @@
 {
  "name": "playground",
  "private": true,
  "devDependencies": {
    "@types/bun": "latest"
  },
  "peerDependencies": {
    "typescript": "^5"
  }
 }
--- a/playground/pkce/src/PKCEDowngradeExpress.js
+++ b/playground/pkce/src/PKCEDowngradeExpress.js
@ -1,31 +0,0 @@
 const express = require("express");
 const app = express();
 app.get("/auth", (req, res) => {
  const {
    client_id,
    response_type,
    code_challenge,
    code_challenge_method,
    scope
  } = req.query;
  console.log("Incoming request:", req.query);
  if (!client_id || response_type !== "code") {
    return res.status(400).send("Missing required parameters");
  }
  // Simulate issuing an authorization code
  const code = "dummy-auth-code";
  // Simulate PKCE check (normally you'd validate here)
  // We deliberately allow the downgrade here to simulate the vulnerability
  const responseBody = `Authorization successful. code=${code}`;
  return res.status(200).send(responseBody);
 });
 const PORT = 5050;
 app.listen(PORT, () => {
  console.log(`Test PKCE server running on http://localhost:${PORT}`);
 });
--- a/playground/pkce/tsconfig.json
+++ b/playground/pkce/tsconfig.json
@ -1,29 +0,0 @@
 {
  "compilerOptions": {
    // Environment setup & latest features
    "lib": ["ESNext"],
    "target": "ESNext",
    "module": "Preserve",
    "moduleDetection": "force",
    "jsx": "react-jsx",
    "allowJs": true,
    // Bundler mode
    "moduleResolution": "bundler",
    "allowImportingTsExtensions": true,
    "verbatimModuleSyntax": true,
    "noEmit": true,
    // Best practices
    "strict": true,
    "skipLibCheck": true,
    "noFallthroughCasesInSwitch": true,
    "noUncheckedIndexedAccess": true,
    "noImplicitOverride": true,
    // Some stricter flags (disabled by default)
    "noUnusedLocals": false,
    "noUnusedParameters": false,
    "noPropertyAccessFromIndexSignature": false
  }
 }